
Showing papers on "Authentication server published in 2007"


Patent
31 May 2007
TL;DR: In this paper, the authors present a method of securely connecting a first device (A) to a second device (B) using a third-party authentication server (AS) coupled to the second device, where the first device and the authentication server both hold first device shared secret data (SSDa) and the second device and the authentication server both hold second device shared secret data (SSDb).
Abstract: The present invention relates to communications, and in particular though not exclusively to forming a secure connection between two untrusted devices. The present invention provides a method of securely connecting a first device (A) to a second device (B) using a third party authentication server (AS) coupled to the second device, the first device and the authentication server both having first device shared secret data (SSDa) and the second device and the authentication server both having second device shared secret data (SSDb). The method comprises receiving a request from the first device at the authentication server; the authentication server and the first device both generating a first device key (K_A) using the first device shared secret data in response to a first device random number (RANDa) sent from the authentication server to the first device; the authentication server and the second device both generating a second device key (K_B) using the second device shared secret data in response to a second device random number (RANDb) sent from the authentication server to the second device; and the authentication server securely forwarding to the second device (B) and the first device (A) a common key (K_AB) using the second and first device keys (K_B, K_A).

155 citations


Patent
09 Jan 2007
TL;DR: In this article, a system and method for performing user authentication based on behavior patterns of a mobile terminal user is disclosed. The system includes an input unit configured to receive authentication information from a user, an authentication unit configured to extract behavior patterns of the user based on the authentication information, and a data communication unit configured to transmit the authentication information and the behavior patterns to an authentication server.
Abstract: A system and method for performing user authentication based on behavior patterns of a mobile terminal user is disclosed. The system includes a mobile terminal having an input unit configured to receive authentication information from a user, an authentication unit configured to extract behavior patterns of the user based on the authentication information, and a data communication unit configured to transmit the authentication information and the behavior patterns to an authentication server. The behavior patterns extracted from the authentication information include the user's characteristic behavior patterns such as typing patterns, motion patterns, voice patterns and writing patterns. Such behavior patterns represent both the authentication information and the behavior characteristics of the user, which increases the security level of the system. The authentication server may perform two stages of user authentication. In the first user authentication stage, the authentication server compares the received authentication information with that stored in an authentication information database. If the claimed identity of the user is verified at the first stage, a second user authentication stage may be performed by comparing the received behavior patterns with those stored in the authentication information database.

123 citations


Patent
Wei Jiahong1, Li Jun1, Chen Wumao1
29 Oct 2007
TL;DR: In this paper, a method, a system and an authentication server for realizing secure assignment of a DHCP address are disclosed. The method includes: sending a DHCP Discovery message via an access network; obtaining the identification information of the DHCP client and authenticating the client based on that identification information; and assigning the address only after the client has passed the authentication.
Abstract: A method, a system and an authentication server for realizing secure assignment of a DHCP address are disclosed. The method includes: sending a DHCP Discovery message via an access network; obtaining the identification information of the DHCP client and authenticating the DHCP client based on the identification information; and assigning the address to the DHCP client only after it has passed the authentication. Therefore, in the present invention, access authentication may be performed on a subscriber according to location information, and an IP address is only assigned to a valid subscriber and terminal, so the security of address assignment in DHCP mode may be greatly enhanced. Moreover, in the present invention, addresses may be managed centrally by an AAA server, or the addresses may be assigned after the AAA server has successfully authenticated the subscriber.

97 citations


Patent
28 Mar 2007
TL;DR: In this paper, a fare charging information collection system includes a filter condition management module (FCM) for setting and storing the filter conditions used for flow analysis and control; a flow analysis module (FA) that, according to the filter conditions, analyzes the business flow of mobile terminals accessing the data business and extracts the data business content character code, business beacon and business type information; a filter condition management interface module (FCMI) connecting the FCM and the FA; an authentication interface module (AI) that sends the business content character code to the authentication server for authentication; and a fare charge interface module (FCI).
Abstract: The fare charging information collection system includes a filter condition management module (FCM) for setting and storing the filter conditions used for flow analysis and control; a flow analysis module (FA) that, according to the filter conditions, analyzes the business flow of mobile terminals accessing the data business and extracts the data business content character code, business beacon and business type information; a filter condition management interface module (FCMI) connecting the FCM and the FA; an authentication interface module (AI) that sends the business content character code to the authentication server for authentication; and a fare charge interface module (FCI) that sends the business beacon and the business type to the fare charging sub-system for charging. By allowing the user to set and dynamically modify the filter rules, this scheme extends user business features, e.g. QoS and safety features.

92 citations


Patent
27 Sep 2007
TL;DR: In this paper, the authors proposed a template-based authentication system in which the user's biometric data is captured during enrollment and converted by a given conversion parameter to create a template.
Abstract: The present invention captures the user's biometric data during enrollment and converts it by a given conversion parameter to create a template. It creates verification information for the conversion parameter and enrolls it in an authentication server together with the template. The conversion parameter is stored in an IC card or the like for issuance to the user. During authentication, the authentication server verifies that the authentication terminal knows the conversion parameter, using the conversion parameter verification information. Next, the authentication terminal converts the user's newly captured biometric data with the conversion parameter to create matching information, and transmits it to the authentication server. The authentication server matches the matching information against the template to determine whether the user is the principal.

83 citations


Patent
13 Nov 2007
TL;DR: In this article, a first processing device, which may be an authentication token, establishes a shared key through a pairing protocol carried out between the first processing device and a second processing device.
Abstract: In one aspect, a first processing device, which may be an authentication token, establishes a shared key through a pairing protocol carried out between the first processing device and a second processing device. The pairing protocol also involves communication between the second processing device and an authentication server. As part of the pairing protocol, the first processing device sends identifying information to the second processing device, and the second processing device utilizes the identifying information to obtain the shared key from the authentication server. The first processing device encrypts authentication information utilizing the shared key, and transmits the encrypted authentication information from the first processing device to the second processing device. The second processing device utilizes the shared key to decrypt the encrypted authentication information.

81 citations


Patent
30 Jan 2007
TL;DR: In this article, a method, apparatus, remote accessory and authentication server are provided for facilitating operations such as an authenticated test of life safety equipment having components including a control panel and sensors.
Abstract: A method, apparatus, remote accessory and authentication server are provided for facilitating operations such as an authenticated test of life safety equipment having components including a control panel and sensors. The life safety equipment requires testing according to a fire code. An access procedure is conducted to identify equipment and testing requirements and to establish a communication session between the equipment and an authentication server during an authenticated test. Another access procedure is conducted to provide access for a remote device for facilitating the authenticated test and to establish a communication session between the remote device and an alarm system or authentication server, or the like. Information associated with an impending activation of one of the sensors is received from the remote device, and information associated with the sensor, when activated, is reported, if detected by the alarm system, to the authentication server, and the reported activation information is forwarded to the remote device. Authentication information associated with the activated sensor, whether or not detected, is received from the remote device, and an authenticated report is forwarded to the remote device when all of the alarm condition sensors have been tested according to the test procedures.

77 citations


Patent
31 Oct 2007
TL;DR: In this article, an authentication-delegating service implemented in an authentication server or other processing device is configured to receive a request from a relying party for delegated authentication information associated with a particular user.
Abstract: An authentication-delegating service implemented in an authentication server or other processing device is configured to receive a request from a relying party for delegated authentication information associated with a particular user, to determine a level of trust associated with the relying party, and to provide the delegated authentication information to the relying party if the relying party has a sufficient level of trust, so as to permit the relying party to authenticate the user based on the delegated authentication information. The delegated authentication information has the property that the user can be presently authenticated based on such information. The delegated authentication information may comprise, for example, at least one value derived from a one-time password or other authentication credential of the particular user. The authentication-delegating service may be graded to provide different types of delegated authentication information based on respective levels of trust that may be associated with relying parties.

77 citations


Patent
31 Oct 2007
TL;DR: In this paper, the authors propose a system for billing a data communication fee which can account separately for official and private expenses when a predetermined network is accessed for a business-related matter, and which is also highly reliable as viewed from the carrier side.
Abstract: PROBLEM TO BE SOLVED: To provide a system or the like for billing a data communication fee, which can account separately for official and private expenses when a predetermined network 16 is accessed for a business-related matter, and which is also highly reliable as viewed from the carrier side. SOLUTION: When a mobile party purchases a communication token T for a given network 16, the mobile party transmits the ID of the mobile phone 10 to a communication token issuing server 40 through the web server 30. The communication token T is generated based on the ID and transmitted to a PC 20 through the web server 30 and the mobile phone 10. After first disconnecting the mobile phone from the network 15 used for the mobile phone's own contents, the mobile party attempts to use the predetermined network 16 through an authentication server 50 using the ID and the communication token T. The ID and the communication token T are transmitted to the communication token issuing server 40 and the validity of the communication token T is authenticated. The data communication fee of the mobile phone 10, with the fee for the communication token T deducted, is charged to a billing destination on the mobile phone 10 side, and the fee for the communication token T is charged to another billing destination. COPYRIGHT: (C)2009,JPO&INPIT

75 citations


Patent
23 Aug 2007
TL;DR: In this article, a mesh authenticator within the network provides two roles: the first role is to implement an 802.1X port access entity (PAE), derive the transient keys used for encryption with a supplicant mesh point via a four-way handshake, and handle back-end communications with a key distributor.
Abstract: A method and apparatus for establishing security associations between nodes of an ad hoc wireless network includes two authentication steps: an initial first-contact step (authentication, authorization, and accounting (AAA)-based authentication), and a 'light-weight' step that reuses key material generated during first contact. A mesh authenticator within the network provides two roles. The first role is to implement an 802.1X port access entity (PAE), derive the transient keys used for encryption with a supplicant mesh point via a four-way handshake, and handle back-end communications with a key distributor. The second role is as a key distributor that implements an AAA client and derives the keys used to authenticate a mesh point during first contact or fast security association. The key distributor and the on-line authentication server can communicate with one another without these messages being transported over mesh links.

62 citations


Patent
Sung-Jun Lee1
21 Jun 2007
TL;DR: In this article, an authentication server stores authentication information and a list of registered networks; a service provider server stores SIM data and transmits the SIM data in response to a request for the data; and a mobile communication terminal receives user authentication from the authentication server, checks the list of networks, allows a network to be accessed to be selected from among the list of registered networks, and accesses the service provider server in the selected network so as to download the SIM data.
Abstract: Provided are an apparatus and a method for downloading Subscriber Identity Module (SIM) data in a mobile communication system, which includes an authentication server that stores authentication information and a list of registered networks; a service provider server that stores SIM data and transmits the SIM data in response to a request for the SIM data; and a mobile communication terminal that receives user authentication from the authentication server, checks the list of networks, allows a network to be accessed to be selected from among the list of networks, and accesses the service provider server in the selected network so as to download the SIM data.

Patent
26 Jan 2007
TL;DR: In this article, the authentication server sends the user an HTTP form page requesting authentication information, and when the user responds, a network monitoring device within the private network alters the form page to include the user's hardware address and an encoded ID based on the network's location.
Abstract: A user gains access to a private network by connecting to a network, either through a hardwired or wireless connection, and then initiates an Internet access request targeting any website. If the user is not already authorized for Internet access, the user is sent to a first predetermined website that points the user to an authentication server accessible via the Internet. The authentication server sends the user an HTTP form page requesting authentication information. When the user responds, a network monitoring device within the private network alters the form page to include the user's hardware address and an encoded ID based on the network's location. The authentication server forwards this data to a gatekeeper server, which authenticates the new user and transmits an unblock message along with another encoded ID based on the network's location and the user's hardware address.

Proceedings ArticleDOI
24 Jun 2007
TL;DR: Preliminary analysis indicates that SFRIC can complete the roaming authentication within a period much less than the critical 20 ms threshold, required for maintaining streaming traffic, when the cryptographic operations are performed in hardware.
Abstract: In a wireless network composed of multiple access points, a long delay during roaming from one access point to another may cause a disruption for streaming traffic. Roaming in a wireless LAN is generally composed of two parts: 1) searching for a new access point and 2) performing authentication at the new access point. To reduce the delay of the second part, we propose an innovative lightweight authentication scheme called SFRIC (secure fast roaming using ID-based cryptography). SFRIC employs ID-based cryptography to simplify the authentication process. It performs mutual authentication for the mobile client and AP with a 3-way handshake, then generates a PTK (pairwise transient key) directly without pre-distributing a PMK (pairwise master key). It does not require contacting an authentication server or exchanging certificates. SFRIC is composed of two phases. In the first phase (the preparation phase), each mobile client obtains a temporary private key from the PKG (private key generator). In the second phase (the roaming authentication phase), mutual authentication and key distribution are performed. Our preliminary analysis indicates that SFRIC can complete the roaming authentication within a period much less than the critical 20 ms threshold required for maintaining streaming traffic, when the cryptographic operations are performed in hardware.

Patent
09 Aug 2007
TL;DR: In this article, the authors propose a method for providing an access-specific key for securing data transfer between a mobile terminal and a node of an access network, where, upon authentication of the mobile terminal, an authentication server generates a session key from which a basic key is derived and transferred to an interworking proxy server.
Abstract: Method for providing an access-specific key for securing a data transfer between a mobile terminal (1) and a node of an access network (2), wherein, upon authentication of the mobile terminal (1), an authentication server (4A) generates a session key, from which a basic key is derived and transferred to an interworking proxy server (7). The interworking proxy server derives the access-specific key from the transferred basic key and provides said key to the node of the access network (2).

Patent
19 Sep 2007
TL;DR: In this article, the authors propose a method and apparatus for preventing phishing attacks. A first method, for informing a user that a remote server is valid, includes receiving a request for information available from the remote server where the request includes an identifier, obtaining a dynamic personal attribute associated with the user using the identifier, and propagating the dynamic personal attribute toward the user, wherein the dynamic personal attribute is adapted for use by the user in validating the server.
Abstract: The invention includes a method and apparatus for preventing phishing attacks. A first method, for informing a user that a remote server is valid, includes receiving a request for information available from the remote server where the request includes an identifier, obtaining a dynamic personal attribute associated with the user using the identifier, and propagating the dynamic personal attribute toward the user, wherein the dynamic personal attribute is adapted for use by the user in validating the remote server. The remote server may be a web server, an authentication server, or any other remote device with which the user may desire to authenticate. A second method, for informing a user that a received message is associated with a valid website, includes obtaining a dynamic personal attribute associated with a user, generating a message for the user where the message is adapted to enable the user to request a website and includes the dynamic personal attribute associated with the user, and propagating the message toward the user. The received message may be any type of message, such as an email message, an instant message, a text message, and the like.

Patent
01 Nov 2007
TL;DR: In this article, the authors present a system and method for authorizing access to a service by one or more computational devices, which may include a wireless device such as a cell phone or a smart phone.
Abstract: A system and method for the authorization of access to a service by a computational device or devices, which may include a wireless device such as a cell phone or a smart phone. A software agent generates a digital signature for the device each time it attempts to access the service and sends it to an authentication server, which compares the digital signature sent with one or more digital signatures on file to determine whether access to the service is permitted. The digital signature is generated by using hashes based on software and hardware configuration data collected from the device. The system may be used in conjunction with other authorization methods and devices.

Patent
21 Nov 2007
TL;DR: In this article, a system consisting of a terminal with a human-face image detecting function and a voice data acquiring function, a communication network and a personal identification server is proposed; the terminal embeds the acquired voice data into the detected human-face image, and the server separates and authenticates both.
Abstract: The system comprises: a terminal with a human-face image detecting function and a voice data acquiring function, a communication network and a personal identification server. The terminal with the human-face image detecting function and the voice data acquiring function embeds the acquired voice data into the detected human-face image, and sends the human-face image embedded with the voice data to the personal identification server; the identification authentication server separates the voice data from the human-face image, authenticates the human-face image and the voice data respectively, and then combines the results; the authentication result is sent to the terminal.

Patent
Tami Isobe1, Takao Saka1
18 Sep 2007
TL;DR: In this article, an authentication server receives user information from an MFP, and acquires information on a service available for the user, and creates a menu screen with a selection function.
Abstract: An authentication server receives user information from an MFP, and acquires information on a service available for the user. The authentication server creates information on a menu screen having a selection function of selecting the service available for the user based on the acquired service information. The MFP receives the customized menu screen provided from the authentication server, and displays the menu screen on a display device.

Patent
18 May 2007
TL;DR: In this paper, the authors describe a system for authenticating a user in a site included in an authentication system in which a plurality of sites are linked to each other, the process comprising: receiving authentication information; authenticating the user in the first site of the authentication system based on the received authentication information; receiving suspicious behavior information of the user; registering the received suspicious behavior information; determining the reliability of the user; and, in a case where the user accesses a second site, transmitting the authentication information to which the reliability is added to the second site; and determining a function to be
Abstract: A computer readable medium storing a program causing a computer to execute a process for authenticating a user in a site included in an authentication system in which a plurality of sites are linked to each other, the process comprising: receiving authentication information; authenticating the user in a first site of the authentication system based on the received authentication information; receiving suspicious behavior information of the user; registering the received suspicious behavior information; determining the reliability of the user based on the suspicious behavior information registered in the registering step; in a case where the user accesses a second site of the authentication system, adding the determined reliability of the user and transmitting the authentication information to which the reliability is added to the second site; and determining a function to be provided to the user in the first site based on the reliability of the user.

Patent
30 Oct 2007
TL;DR: In this paper, a method and system for controlling access, by an authentication server, to protected computer resources provided via an Internet Protocol network includes storing (i) a digital identification associated with at least one client computer device, and (ii) data associated with the protected computer resources in at least one database associated with the authentication server.
Abstract: A method and system for controlling access, by an authentication server, to protected computer resources provided via an Internet Protocol network that includes storing (i) a digital identification associated with at least one client computer device, and (ii) data associated with the protected computer resources in at least one database associated with the authentication server; authenticating, by the authentication server, the digital identification forwarded by at least one access server; authorizing, by the authentication server, the at least one client computer device to receive at least a portion of the protected computer resources requested by the at least one client computer device, based on the stored data associated with the requested protected computer resources; and permitting access, by the authentication server, to the at least the portion of the protected computer resources upon successfully authenticating the digital identification and upon successfully authorizing the at least one client computer device.

Patent
11 Oct 2007
TL;DR: In this article, a Transformation Coder Entity (TCE) creates a master key, Mk, which is used to derive keys during the authentication procedure, and passes the Mk or a transformed Mk between two authenticator nodes (42, 43, 44) that hold the key in the respective access networks when a User Equipment (UE) terminal (41, 51, 52, 53) changes access.
Abstract: An authentication server and a system and method for managing cryptographic keys across different combinations of user terminals, access networks, and core networks. A Transformation Coder Entity, TCE, (25) creates a master key, Mk, which is used to derive keys during the authentication procedure. During handover between the different access types, the Mk or a transformed Mk is passed between two authenticator nodes (42, 43, 44) that hold the key in the respective access networks when a User Equipment, UE, terminal (41, 51, 52, 53) changes access. The transformation of the Mk is performed via a one-way function, and has the effect that if the Mk is somehow compromised, it is not possible to automatically obtain access to previously used master keys. The transformation is performed based on the type of authenticator node and type of UE/identity module with which the transformed key is to be utilized. The Mk is never used directly, but is only used to derive the keys that are directly used to protect the access link.

Journal ArticleDOI
TL;DR: This work reviews Lee et al.'s authentication scheme and provides a security analysis on the scheme, showing that it does not achieve its basic aim of authenticating remote users and furthermore has a very hazardous method for changing passwords.
Abstract: A remote user authentication scheme is a two-party protocol whereby an authentication server in a distributed system confirms the identity of a remote individual logging on to the server over an untrusted, open network. Recently, Lee et al. have proposed an efficient nonce-based scheme for remote user authentication using smart cards. This work reviews Lee et al.'s authentication scheme and provides a security analysis on the scheme. Our analysis shows that Lee et al.'s scheme does not achieve its basic aim of authenticating remote users and furthermore has a very hazardous method for changing passwords. In addition, we recommend some changes to the scheme so that it can attain at least its main security goal.

Patent
19 Jun 2007
TL;DR: In this paper, a key distribution scheme for establishing, distributing, and maintaining security associations in a Mobile IP network is presented, where the authentication server performs an initial validation of a new session and generates a root key which it delivers to the initial access gateway and to the home agent.
Abstract: A key distribution scheme is provided, which is useful for establishing, distributing, and maintaining security associations in a Mobile IP network. An authentication server performs an initial validation of a new session and generates a root key which it delivers to the initial access gateway and to the home agent. The initial access gateway and the home agent each independently compute a derivative key available only to themselves. The initial access gateway, acting as proxy for the mobile station, uses the derivative key to sign the Mobile IP registration or binding update transactions, and sends the signed registration or binding update to the home agent for validation. Once the session is established between the mobile station and the home agent, the access gateways act as proxies on behalf of the mobile station to maintain the session mobility. In handoff, the new access gateway acquires the root key as part of the transferred session context. The new access gateway, acting as proxy for the mobile station, computes a new derivative key from the root key and uses it to sign a binding update.

Patent
28 Mar 2007
TL;DR: In this article, an authentication method stores the relation between the user's account number and tag information identifying the user's dynamic code generator (DCG) and the preset algorithm (PA) of that DCG, so that the authentication server can recompute the dynamic code from a challenge and compare it with the code submitted by the user.
Abstract: This method includes storing the relation between the user's account number and the tag information of the user's dynamic code generator (DCG) and the preset algorithm (PA) of the DCG. The user end (UE) sends an authentication request to the authentication server (AS). The latter returns a generated challenge code (CC). From the CC, the DCG generates a first dynamic code (DC) by means of the PA. The UE sends to the AS the authentication information, including the user account number and the first DC. The AS looks up the tag information of the related DCG via the user account number, and then obtains the PA of the DCG. The second DC is obtained by applying the PA to the CC. Authentication passes if the first DC is equal to the second. This can effectively prevent code leakage from network attacks, e.g. interception, peeping, social engineering, etc.

Patent
03 Aug 2007
TL;DR: In this paper, the authors present a user access control system comprising a workstation coupled to a computer network and operable to receive a request for an authenticated access to the computer network, and to prompt for and receive one or more credentials associated with the request.
Abstract: A user access control system comprising a workstation coupled to a computer network and operable to receive a request for an authenticated access to the computer network, and to prompt for and receive one or more credentials associated with the request, a gating authentication server coupled to the computer network and operable to receive the one or more credentials and to provide as a gating factor an authenticated credential, and a public key infrastructure server coupled to the computer network and operable to generate private/public key pairs associated with the authenticated credential, wherein the private/public key pairs are either generated after a request for access to the computer system has been received at the workstation and the gating authentication server has authenticated the one or more credentials provided through the workstation, or the private/public key pairs are retrieved from a previously generated virtual smart card based on the authentication credential.

Patent
01 Aug 2007
TL;DR: In this paper, a method and system for providing security between a service-providing server and a user device is presented, where the system includes: a user device to request a service and to transmit a packet including a first public key, and an authentication server to receive the packet, to authenticate the user device based on the first public key, to generate a secret key if the user device is authenticated, and to transmit the secret key to the user device.
Abstract: A method and system for providing security between a service providing server and a user device, the system including: a user device to request a service and to transmit a packet including a first public key; an authentication server to receive the packet, to authenticate the user device based on the first public key, to generate a secret key if the user device is authenticated, and to transmit the secret key to the user device; and a service providing server to check an integrity of the user device by using information for an integrity attestation having the secret key, and to provide the service to the user device according to the integrity of the user device. When the remote integrity attestation of the user device is implemented by the service providing server, the anonymity of the user device is guaranteed and the integrity of the user device is authenticated.

Patent
08 Feb 2007
TL;DR: In this article, a method of authentication in a communications network consisting of a network authentication server, a local authentication entity and a user terminal is presented.
Abstract: A method of authentication in a communications network, said communications network comprising a network authentication server, a local authentication entity and a user terminal, said local authentication entity comprising a subscriber application and an authentication application, said method comprising the steps of: sending a request from the local authentication entity to the network authentication server to authenticate the user terminal, said request comprising the identity of the user terminal; generating by the network authentication entity an authentication key in response to the request and generating by the subscriber application an identical authentication key; sending the authentication key generated by the network authentication server securely to the user terminal identified by said identity, then storing the authentication key at the user terminal; sending the authentication key generated by the subscriber application securely to the authentication application, then storing the authentication key at the authentication application; and authenticating the user terminal by verifying the authentication key stored at the user terminal with the authentication key stored at the authentication application.

Patent
Naotoshi Watanabe
18 Jul 2007
TL;DR: In this paper, the authors propose a P2P communication control system that includes an authentication server that authenticates a terminal which requests subscription to a network, sends communication priority information to the terminal whose subscription is permitted, and delivers communication regulation information based on the communication priority to a router which accommodates the terminal.
Abstract: The present invention relates to a communication control system, and provides specifically a peer-to-peer (P2P) communication control system making it possible to effectively exploit P2P communication within an organizational network. The communication control system includes: an authentication server that authenticates a terminal which requests subscription to a network, sends communication priority information to the terminal whose subscription is permitted, and delivers communication regulation information based on the communication priority information to a router which accommodates the terminal; a terminal that uses a packet, to which the communication priority information sent from the authentication server is appended, to perform communication after having subscription thereof permitted; and a router that monitors the packet sent from the terminal, and imposes a communication regulation on the terminal according to the communication regulation information based on the communication priority information and delivered from the authentication server.

Patent
28 Jun 2007
TL;DR: In this article, techniques are disclosed for performing operations in an authentication token or other cryptographic device in a system comprising an authentication server, where a code generated by the server authorizes the operation and may be determined as a function of a one-time password generated by the authentication server.
Abstract: Techniques are disclosed for performing operations in an authentication token or other cryptographic device in a system comprising an authentication server. In one aspect, a code generated by the authentication server is received in the cryptographic device. The code may have associated therewith information specifying at least one operation to be performed by the cryptographic device. The cryptographic device authenticates the code, and responsive to authentication of the code, performs the specified operation. If the code is not authenticated, the operation is not performed. The code may be determined as a function of a one-time password generated by the authentication server. The function may also take as an input an identifier of the operation to be performed.

Patent
10 Apr 2007
TL;DR: In this article, techniques for binding multiple authentications for a peer are described, where the authentications are bound by a unique identifier exchanged securely between the peer, the authentication server and the authenticator in order to prevent a man-in-the-middle attack, and where multiple levels of security may be used for the multiple authentications.
Abstract: Techniques for binding multiple authentications for a peer are described. In one design, multiple authentications for the peer may be bound based on a unique identifier for the peer. The unique identifier may be a pseudo-random number and may be exchanged securely between the peer, an authentication server, and an authenticator in order to prevent a man-in-the-middle attack. Data for all authentications bound by the unique identifier may be exchanged securely based on one or more cryptographic keys generated by all or a subset of these authentications. In another design, multiple levels of security may be used for multiple authentications for a peer. The peer may perform a first authentication with a first authentication server and obtain a first cryptographic key and may also perform a second authentication with the first authentication server or a second authentication server and obtain a second cryptographic key. The peer may thereafter securely exchange data using the two keys using nested security.